Search workflows
To build your first search, the Intelligence interface supports a rich query language that lets you start your workflow from any major type of IoC, used individually or combined with query operators. The entry point is deliberately simple: a search form. To start a search, enter the query you built in the search input field. The search form, the query language, and its query keys and operators are fully described in the Search page.
For a given query, Knowledge Base provides multiple views of the resulting data. These views are directly accessible through tabs in the interface. Each tab answers a different need, use case, or stage in your workflow, as described below.
- IoC Validation
  The Summary view (described in Search: Summary tab) provides analytical results to help you understand the severity, the prevalence, and the category of the threats associated with the searched IoC.
  The Threat Profile view (described in Search: Threat profile tab) aggregates malicious activities observed in association with the searched IoC(s). This view helps you understand the potential exposure for your company.
- IoC Enrichment and Reaction
  To support response, the Network IoCs view (described in Search: Network IoCs tab) aggregates related domains and IPs observed in association with the searched IoC(s). This view helps you build additional coverage by providing a richer list of IoCs to monitor or block. The enriched IoCs are directly exportable and actionable.
- IoC Contextualization
  The DNS view (described in Search: DNS tab) provides additional context about the evolution of the network infrastructure used by the threat, such as the relocation of the command and control infrastructure over time.
  The Timeline view (described in Search: Timeline tab) provides timeline information around the searched IoC(s) to help you understand where current events sit with respect to that timeline.
- IoC Exploration
  The Reports view (described in Search: Reports tab) points you to related analysis reports that can be browsed for a richer set of details and for new IoC(s) with which to expand the original search.
- Pivoting to Alerting
  After validation, you can pivot to the alerting service at any point by saving your search as a rule using the Save rule option in the search form. You are then redirected automatically to Alerting workflows, where you can edit the rule before deploying it.